FOR CYBERSECURITY IN BHUTAN'S

ABSTRACT

This paper presents the results of open-ended survey exploring the critical success factors for cybersecurity implementation in government organisations in Bhutan. Successful implementation of cybersecurity depends on a thorough understanding of cyber threats and challenges to the organisational information assets. It also depends on identification of a responsible, dedicated personnel to lead and direct cybersecurity initiatives. Furthermore, it is important to know the critical areas of cybersecurity activities for management to target, prioritise and execute. Understanding of what key things need to be done right by the responsible agency and its leader, at a particular time and in particular context, can lead to better decision making and resource optimisation including skills and knowledge. The survey findings indicate that, among other factors, awareness and training, policy and standards, and adequate financing and budgetary commitment to cybersecurity projects are three most important success factors. Channelling an organisation's limited resources to these few factors is expected to enhance cybersecurity posture and its management. The research outcome has implications to both government and private organizations in Bhutan.

Natarajan Meghanathan et al. (Eds): NETCOM, NCS, WiMoNe, GRAPH-HOC, SPM, CSEIT - 2016, pp. 49-61, 2016. CS & IT-CSCP 2016. DOI: 10.5121/csit.2016.61505
Computer Science & Information Technology (CS & IT)

1. INTRODUCTION

Cybersecurity is a global issue that affects both developed and developing countries. Bhutan, which introduced the Internet only in 1999, is facing its own set of cyber problems. The recent online financial scam, based on the fake email letter that was supposedly sent from the Royal Audit Authority, caused the Bank of Bhutan to transfer 16 million (in Bhutanese currency) to three different accounts in India, Malaysia and Thailand [1]. This cyber incident clearly shows that Bhutan is not immune to cyber threats. Private and government websites have been defaced [2-4] and networks and systems were made inaccessible due to rampant malware and physical disruptions [5].

In just over a decade, the Internet subscriber rate of Bhutan increased from less than 1% in 2004 to 34.3% in 2013. Similarly, the mobile subscriber rate increased from 37% in 2004 to 74.3% in 2013. The Internet and mobile services are now accessible in all 20 dzongkhags (or Districts) and 205 Geogs (or Village blocks) [6]. By 2014, there were more than 80,000 Facebook and Social Networking sites users, which is 10% of the country's 750,000 people [7].

According to the 11th Five Year Plan of 2013, Bhutan's main ICT focus areas are to: i) implement Government-to-Citizens (G2C) services to improve the efficiency and quality of service delivery to citizens (e.g., online tax filing and birth registration) by improving accessibility, optimizing human resources and reducing service delivery time, ii) establish a government data centre to improve systems reliability, accessibility and resiliency, and iii) consolidate and integrate the wide area network in the capital, which connects all central ministries, and local area networks in the regions for smooth functioning of many services offered online. In addition, the government intends to explore the potential of mobile technology services including implementation of financial payment systems [8-10].

As described earlier, the government ICT agenda suggests that Bhutan's dependency on ICT and the Internet is growing and becoming more sophisticated. In other words, it means that its cyber landscape is constantly changing and becoming unpredictable as more people, government, devices, systems and networks become interconnected.

However, aside from the studies in [11, 12], there is no indication of how the government in Bhutan will manage cybersecurity. Clearly, there is a gap of knowledge and understanding of what cyber threats Bhutan is currently facing, who is responsible to lead cybersecurity initiatives and what are the critical success factors that government needs to focus upon to make their cyber program a success.

Considering that Bhutan is a developing country, hugely dependent on foreign aid from development partners and international organizations, utilization of limited resources for the wrong strategic goals and objectives may become a complete waste of national efforts. Therefore, it is important for the government, policy makers and practitioners to understand and realize what critical things need to be done in a specific situation, at a particular time, to make implementation of every national program a success.
An understanding of the success factors for cybersecurity is crucial for Bhutan's government, as it has neither material capacity nor human resources to tackle the emerging cybersecurity challenges.

One of the approaches to identify the critical success factors for the organizations is to use the Critical Success Factors (CSFs) method. According to [13, 14], CSFs are defined as the limited number of areas in which satisfactory results will ensure successful competitive performance for the individual, department or organisation. CSFs are the few key areas where things must go right for the business to flourish and for the manager's goals to be attained. CSFs are the particular areas of major importance to a particular manager, in a particular division, at a particular point in time.

The key areas are the activities [15]:

in which favourable results are necessary to achieve goals.

where things must go right for the organisation to flourish.

that should receive constant attention from management.

Unlike other approaches, the central idea to CSF method is to focus on individual managers, by extension to organisations and individuals, and to identify their information needs. CSF is also unique as it takes into consideration the fact that information needs vary from manager to manager and that these needs change with time [13] and by extension with change in environment (e.g., technology). Thus, CSF method is a flexible and dynamic tool that can be used to assess and identify the key areas of activities that are necessary for ensuring the success and performance of a company or an organisation.


While the standard approach of CSFs is to conduct face-to-face interviews or group discussions with key people in the organisation, this study uses open-ended survey questions to gauge what respondents think and believe would be the critical success factors for implementing cybersecurity in government organisations. The survey approach provides an advantage of having more respondents, anonymity and openness to respond to survey questions.

In the survey, the study asked four open-ended questions to the participants:

Please list three of the greatest threats to information resources in your organisation?

Who do you perceive as being responsible for information security in your organisation?

Please list issues that you think are inhibiting cybersecurity effectiveness in your organisation?

Please list things that you think would be critical success factors for implementation of cybersecurity?

Complete understanding of current cybersecurity situation and context is important. Therefore, the purpose of the study is soliciting knowledge and information on what challenges government organisations are currently facing, who respondents think should be made responsible for cybersecurity and what critical areas the management and its leaders should focus upon to achieve organisational cybersecurity objectives. However, this paper describes only the analysis and findings of the survey responses related to critical success factors for effective cybersecurity implementation.

The paper is organized as follows. Section I introduces Bhutan's cybersecurity situation and the purpose of the study; Section II describes cybersecurity related studies done in Bhutan; Section III presents the research methods and materials; Section IV describes the data analysis and results; Section V provides brief description of study limitations followed by conclusion in Section VI.

2. LITERATURE REVIEW

Because the Internet in general and cybersecurity in particular are fairly new concepts or phenomena, cybersecurity related studies done in Bhutan are few and far between.

An E-Readiness study [16] was conducted in 2003 to assess Bhutan's readiness to embrace and participate in the network economy and information society. The purpose of the study was to assess maturity levels in network, human, infrastructure and legal capacity. A country's maturity level below certain threshold in any of these elements is considered as not ready. Knowing the state of ICT development also provides directions where government needs to focus and prioritize its national efforts to improve the level of readiness. However, neither readiness in cybersecurity nor the challenges facing Bhutan have been studied.

One of the common mechanisms to counter cybersecurity challenges, especially cyber incidents, is to establish the Computer Incident Response Team (CIRT) [17]. In order to understand how developing countries are managing and responding to cyber incidents, the International Telecommunication Union (ITU) conducted assessment of CIRT covering India, Bhutan, Bangladesh and India [18]. The main objective of the study was to understand cybersecurity challenges facing these countries, to document measures taken to respond to these challenges and to assess their capabilities to coordinate, respond and share information related to cyber incidents. However, this study was limited to cyber incident management capabilities. It has not assessed other security domains such as cyber policy, organizational security and personnel security. Nor has it assessed which of security factors developing countries should implement to achieve maximal security benefits.

Another study assessing Bhutan's cybersecurity capability and maturity was conducted by the Global Cyber Security Capacity Centre and the World Bank [19]. The study measured maturity levels in five dimensions: i) policy and strategy, ii) culture and society, iii) education, training and skills, iv) law and regulation, and v) organization, standards and technology. The maturity levels in each dimension were assessed based on five stages: start-up, formative, established, strategic and dynamic. The study findings suggest that Bhutan is at the start-up level of maturity, meaning that Bhutan neither has a capacity nor has undertaken concrete actions with respect to some factors in each dimension. While the study provides an understanding of cybersecurity in Bhutan from the national perspectives, it does not, however, provide specific insights and understanding of how government organizations have implemented cybersecurity activities. Further, their research method is based on group discussion and analysis of available documents.

In [20], a PKI based security framework was proposed for e-government platforms in Bhutan. The framework was derived from PKI solutions and best practices implemented in India, Korea and Taiwan. Even though this study addresses security gaps for e-government platforms, the study is specific to the use of cryptography technologies as solution to the e-government security issues. Moreover, the study used SWOT (Strengths, Weaknesses, Opportunities and Threats) method along with analysis of relevant policy documents.

Recently, an overview of cybersecurity challenges facing Bhutan was presented in [11]. Based on the analysis of available government reports and printed media, common cyber threats and challenges (e.g., hacking and phishing) facing Bhutan were identified and documented. This study was based on a desk audit research method and content analysis, which largely involves reviewing, collation and synthesis of information from secondary sources.

Another recent study related to cybersecurity management was the assessment of cybersecurity practices in the context of e-government implementation [12]. The study surveyed 280 potential respondents to assess the implementation of cybersecurity practices such as cyber policy, risk management, and training and awareness. The study suggests that in most government organizations there is very limited and/or complete lack of cybersecurity policy, risk management, awareness and incident management implementation. It also indicates that many organizations have either suffered from or been affected by cybersecurity threats such as hacking, malware and phishing scams. While the study recommends implementation of both managerial and technological solutions, it does not say which are the few key things government should decide and take action to achieve maximum benefits from security investments.

3. METHODS AND MATERIALS

3.1. Sample and Procedure

A formal approval was sought from the Secretary of the Ministry of Information and Communications (MoIC), Bhutan to provide the contact list of ICT professionals working in various government organisations. Contact addresses of ICT professionals were, then, obtained from the Department of IT and Telecom under the ministry. Emails with a link to the survey were sent to the 280 potential respondents. A follow-up e-mail was sent after one month to improve the survey response rate.


3.2. Instrument

An online survey questionnaire was used to collect data for this study. Survey Monkey was used to design and develop the survey questionnaire. Information related to objectives, confidentiality and consent to participate were included in the survey. The survey also has the option for withdrawal in the case that respondents changed their mind midway through the survey. The survey involved 280 participants. They were asked an open-ended question to list at least 3 critical success factors for cybersecurity program in government organisations. Prior to the actual survey, the questionnaire was pre-tested with 10 senior ICT professionals who were studying abroad in different countries. Further, the survey instrument was reviewed and approved by the Murdoch Ethics Committee to ensure its appropriateness to the research and that the risk factors to the participants were duly considered, especially their privacy and confidentiality.

4. RESULTS

4.1. Response Rate

Electronic mail invitations were sent to potential survey participants to participate in the online survey study. Of 280 respondents, 157 of them responded to the survey. That means that the response rate was about 56% (157/280). However, not all participants who responded to the survey answered all the survey questions. There were only 109 respondents who fully completed the questionnaire. Therefore, the completion rate of the responses was about 69% (109/157).

4.2. Demographic Characteristics

The demographic data is shown in Table 1. Survey participants can be characterised as mostly young with their age ranging from 25 to 34. Most of the participants have a bachelor degree closely followed by diploma and master degree. Their expertise and speciality is mostly in the field of Information Technology, Computer Science and Computer Applications. In terms of gender, more than 68% of participants were male while female participants constituted about 31% of survey responses.

Table 1. Demographic characteristics of survey respondents

4.3. Analysis

4.3.1 Data Pre-processing

The responses to open-ended questions were analysed using NVivo software. Prior to importing the data into the NVivo program, responses were pre-processed to ensure that non-response items or partially completed responses were removed. Responses were also processed to ensure that words and phrases were correctly spelled and formatted. For example, budget top management is separated as budget and top management or budget, top management. This process improved the quality and accuracy of the data. In addition, responses were categorized into codable texts and classifiable texts. Coding can be performed only on codable texts while classifiable texts can be used for answering multiple questions or to perform demographic comparisons as male versus female.

Figure 1. Themes coded from qualitative data

4.3.2. Coding Themes

The coding of qualitative data was performed using the In Vivo Coding method [21]. This method is used to code themes emerging from the codable texts of responses. In other words, it allows texts to be coded using words and phrases found in the qualitative data. For example, as question 4 is related to success factors for cybersecurity implementation in Bhutan, this question is broadly coded as Critical Success Factors under which further sub-themes are categorized. Within this broad category, sub-themes such as awareness and training, security policy and standards, and top management can be categorized. Within the sub-category, for example, training and awareness, there are sub-sub-themes such as seminars, workshops, advocacy, training, etc. These sub-sub-themes constitute or aggregate into abstract concept of training and awareness, which further can be abstracted as one to critical success factors for effective cybersecurity implementation. The resulting coded themes from the qualitative data is shown in Figure 1.

Table 2. Critical success factors for cybersecurity.

Critical Success Factors           Frequency   Percentage* (n=109)
Awareness and Training             56          51%
Security Policy and Standards      30          28%
Security Budget                    23          21%
Top Management                     22          20%
Security Infrastructure            15          14%
Security Audit                     11          10%
Security Responsibilities                      8%
Organizational Structure                       7%
Security Experts                               3%
Change Management                              3%
Communication and Collaboration                1%

*rounded to nearest percent

4.4. Key Findings

As different countries face different cybersecurity challenges, the idea was to solicit and understand the prerequisites to cybersecurity implementation success. Therefore, respondents were asked to list at least three critical success factors for cybersecurity in their organisation. The survey results show, see Table 2, that the top five cybersecurity success factors for government organisations are:

Awareness, training and education.

Security policy, standards and procedures.

Cybersecurity financing and resources.

Top management support for cybersecurity.

Cybersecurity audit and compliance.

Nearly 51% (56/109) of respondents believe that government organizations should focus on awareness and training to make cybersecurity a success. Another 27% (30/109) of respondents believe that management should establish policy and standards while 21% (23/109) of respondents think that sufficient budgetary commitment to cybersecurity initiatives will help government organizations to achieve their organizational security objectives. Respondents also identified top management (20%) and security infrastructure (14%) as the fourth and the fifth critical success factors for cybersecurity implementation.


4.5. Recommendations

4.5.1. Awareness and Training

In [22], Fadi argues that educating and training users is a must to combat IT security threats. He believes improving the security awareness among the normal users can prevent them becoming the weakest link in any organization or becoming an easy and soft target for the cyber criminals [22]. Awareness and training is also important for the legitimate users because people with authorized privilege and access rights bypass rules to trade off security against usability; people sometimes make biased decisions so that they gain maximum benefits for the cost of an action or decision [23]. Close to 51% of survey respondents believe that awareness and training is the topmost critical success factor that can help government organizations to improve cybersecurity to achieve their business goals and objectives.

4.5.2. Cybersecurity Policy

According to [24], policy in general refers to a plan or a course of action that influences and determines decisions, actions and other matters of government, organization and business. In the context of cybersecurity, it is a formal statement of a set of rules that dictate acceptable and unacceptable behaviour within an organization. In other words, the security policy is the foundation for planning, management and maintenance of cybersecurity. Policy drives the implementation of standards which further drives the implementation of practices, procedures and guidelines. Further, policy is a living document that has to be flexible, adaptable and constantly reviewed to reflect the change in environment. The survey results show that nearly 28% of respondents believe that cybersecurity policy is the second most important critical factor to ensure the success of cybersecurity implementation.

4.5.3. Security Budget

Budget underlies any policy initiatives to be undertaken by any government. Without budget and financial resources, it would be impossible to initiate any development activities and implement them successfully. The survey finding suggests that security budget (21%) is the third most important factor that the Bhutanese government should consider while implementing cybersecurity. Budget is central to other priority areas such as training and awareness, security policy and security infrastructure. Without budgetary commitment and resources, none of these critical factors can be implemented successfully.

4.5.4. Top Management Support

The success of cybersecurity efforts depends to a large extent on the commitment and support of the top management [25, 26]. Managerial issues are regarded as the most important security issues and require management involvement to solve. A worldwide survey conducted by Knapp et al. [27] found top management support to be the highest ranked issue among a list of 25 information security issues. Top management's support and commitment is not only significant to planning, executing and governing of security decisions, but also important to demonstrate to security communities and stakeholders that their investment into security benefits them. Therefore, it is important for any organization to have competent and abled security managers to lead the security governance. Nearly 20% of survey respondents identified management support as one of the critical success factors that government organizations should consider for cybersecurity.


4.5.5. Security Infrastructure

Security infrastructure such as hardware and software (e.g., firewalls and intrusion detection systems) are equally important to meet organization's security requirements and implementation of access controls. Cybersecurity is often considered to be technical issue more than management issue. As a result, security mechanisms such as firewalls and antivirus solutions are widely implemented to protect information resources from security breaches. The survey results show that 14% of respondents view security infrastructure as the success factor for cybersecurity.

The study, therefore, recommends government organization to consider and adopt these critical success factors as priority areas to improve cybersecurity in Bhutan.

5. DISCUSSIONS

Cybersecurity may be global in nature but is highly localised to a specific organisation in a particular country. No two countries have the same cybersecurity context and the level of maturity [28, 29]. Developing countries such as Bhutan, as described in the literature review, are at a different level of cyber maturity.

The survey results provide a broad perspective of cybersecurity and in particular the direction in which government in Bhutan needs to proceed in cybersecurity implementation. The critical success factors described in the survey findings are identified by the ICT professionals engaged in ICT activities in Bhutan. Therefore, they reflect the practical cyber challenges and the requirements to improve cybersecurity. The top two priorities identified in the survey were awareness and training, and security policy and standards. This suggests that most ICT professionals believe that the majority or most serious issues may be solved within the surveyed group. While there are some who believed that internal or external factors such as security budget, top management and security infrastructure were important, it is promising that the majority of staff were not externalising the problem.

Success factors in information security implementation in government organisations in Oman were explored based on information security experts' view [30]. The five success factors identified in the study were: i) Awareness and Training, ii) Management Support, iii) Budget, iv) Information Security Policy Enforcement and Adaptation, and v) Organisation's Mission. Another study carried out in Iran's Municipal Organisations based on the view of experts in the studied organisations suggests that top management support, information security policy and awareness and training programs are the most important success factors in implementing information security management systems. Furthermore, an empirical study [27] based on the survey of 874 certified information systems security professionals (CISSPs) suggests that top management, security budget and security awareness are among top ten information security issues. Another exploratory research of Yanus and Shin [31] suggests that security technologies, top management support and information awareness and training are factors critical for successful implementation of information awareness program.

The findings of this study in Bhutan share many similarities and commonalities of success factors that are critical for successful implementation of cybersecurity and security related programs.

This survey was limited only to government organisations. Including survey participants from the corporate and private organisations may have led to different perspective and thinking. Furthermore, inclusion of survey participants of non ICT personnel may result in different findings. However, the survey results provide a list of conceptual areas which may be further investigated to validate their importance to cybersecurity effectiveness. Future work may include other organisations and groups to confirm the applicability of the reported success factors.

6. CONCLUSIONS

This paper presents the results of open-ended survey exploring critical success factors for cybersecurity implementation. This study has surveyed 159 Bhutanese ICT professionals about the key factors for Cyber security success. The results suggest that the top five priorities, in order of reported importance, are:

a) awareness, training and education: ICT professionals who are responsible for cybersecurity and ICT users affected by security issues must be made aware of their security responsibilities and trained in cybersecurity technologies,

b) policy, standards and procedures: policy is the cornerstone for planning and executing cybersecurity initiatives, while standards and procedures are necessary to achieve policy objectives and organisational vision,

c) Cybersecurity budget: budgetary commitment is essential not only for investment in cybersecurity technologies and infrastructure, but also for policy implementation and conduction of cybersecurity training and awareness,

d) top management support: competent leadership drives the success of the organisation. Top management support is essential to get the stakeholders' support and secure budget for cybersecurity,

e) security infrastructure: effective cybersecurity needs security controls and tools (e.g., firewalls and antivirus) to mitigate cyber risk and prevent security breaches, and

f) cybersecurity audit process: compliance to cyber rules, policies and data standards are equally important. Cybersecurity audit process ensures that organisations meet the security requirements and remain up to date with changing environment.

The outcome of this research will have significant impact to both governmental organization and non-governmental organizations in terms of understanding the limited number of areas in which satisfactory results will ensure successful competitive performance for the individual, department or organisation. If implemented successfully, these factors would not only improve cybersecurity by reducing security breaches, but also meet organisational goals. However, the identified factors need to be further validated using different tools and techniques.

ACKNOWLEDGEMENTS

The authors would like to thank Miss Dechen Chhoeden, Department of IT and Telecom for her kind support for providing us with the contact list of ICT professionals.

AUTHORS

PEMA CHOEJEY

Pema Choejey is currently studying Doctor of Philosophy (Ph.D) in Information Technology, School of Engineering and IT at Murdoch University, Australia. He has bachelor degree in Electronics and Communications Engineering from PSG College of Technology, Bharathiar University, India and master of science in Information Technology from King Mongkut's University of Technology, Thailand. Prior to becoming a Ph.D student, he worked as the Chief ICT Officer and Head of Research Division for the Department of Information Technology and Telecom under the Ministry of Information and Communications, Bhutan.

CHUN CHE FUNG

Chun Che Fung received his B.Sc.(Hon.) and M.Eng. degrees from the University of Wales in 1981 and 1982 respectively. He was awarded a Ph.D degree from the University of Western Australia in 1994. Currently, he is Professor Emeritus at the School of Engineering and Information Technology, Murdoch University. Prior to his present position, he worked as Associate Professor and Associate Dean of Research at Murdoch University (2003-2015), Senior Lecturer at the School of Electrical and Computer Engineering, Curtin University (1988 to 2002), and the Department of Electronic and Communication Engineering, Singapore Polytechnic (1982 to 1988). His research interests are computational intelligence techniques and intelligent systems applications for practical problems.


DAVID MURRAY

David Murray received his Ph.D degree from Murdoch University. Currently, he is Senior Lecturer at the School of Engineering and Information Technology at Murdoch University. His research interests are in wireless networks, data communications and security. He has published in the areas of TCP Performance Enhancing Proxies, Wi-Fi performance, fast roaming, network measurement, routing protocols and security.